Interesting People mailing list archives
bank privacy policy vs reality
From: Dave Farber <dave () farber net>
Date: Thu, 22 Jan 2004 21:44:42 -0500
Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Thu, 22 Jan 2004 18:41:12 -0800
From: mis () seiden com
Subject: bank privacy policy vs reality
To: rburnett () orlandosentinel com

(dave, you can use for IP if you consider suitable)

your piece reporting on the crg survey was interesting but didn't go at all far enough.

from my perspective as an information security assessor and auditor, the problem is often that the financial services companies don't practice quite what they preach, and leak customer private information because of poor implementation and reliance on third parties (outsourcers) who have implementation untested by the banks themselves.

luckily there are legal protections in the US for consumers against fraudulent funds transfers and charges, but this means the cost of fraud is hidden in the cost of every banking and retail credit activity (the money has to come from somewhere...), creating a corrupt system which hides the costs of poor security from consumers. moreover, these days banking seems to be mostly a business that brands a bunch of services, assumes and manages some financial risk (laying off as much as possible on third parties), and then outsources operations to fourth parties as much as possible.

i agree with the citibank guy that the real problem with some of these surveys is it's unclear what they measure, but doubtless they measure different things. makes me wonder: do they pay to be surveyed, are the surveys blind or with their knowledge and cooperation, is there actual testing of whether they walk the walk or just talk the talk, or are the surveys based mostly on representations from web browsing, etc.?
looking at the CRG survey, i don't think there's a "consumer reports" here: for example, looking at the CRG web site (customerrespect.com), under products/services, then methodology, what they appear to have done is a checklist-based usability test of the web site according to five core elements of usability, plus a close reading of the privacy policy (but not of how well it's actually implemented). two of the core elements (responsiveness and attitude) seem to include testing of actual performance by sending email asking a question (i wonder what question they asked). CRG say they include 50+ attributes in the Customer Respect Index, the CRI, so we know the size of the checklist. what they don't seem to say is whether they actually opened accounts at the banks, online or otherwise. they don't say what personal information was requested or collected by the bank *prior* to opening an account or due to the US Patriot Act, which seems to have had the main effect of giving the banks a blank check to collect way more information than they need to identify a customer.

there is a big focus on whether the site uses cookies, which is a tip-off that they're a bit confused. (if you don't understand the issue, this would be superficially like making a big deal about whether a supermarket simply *has* an affinity card, rather than *how they use it*. for banks this is particularly nonsensical, since banks MUST know their customers, or at least that customer X is the same as the person who opened (or logged into) account Y, and that's what cookies are used for.) also, as a factual error, it appears from this page that the CRI does *not* include the privacy evaluation as a component, but only the other 5 "core elements". you say it includes "all of the criteria". it would be interesting to know how they weight the components; i suspect 2 points for each element adds up to 10.
i applaud their desire to assess usability, but there is a big question whether it's possible to compare usability across different industries where the functional and compliance requirements (hence the privacy requirements) are much different. (at least they recognize the privacy component differs, and so exclude it from the CRI.)

i use a couple dozen online banking and financial services, among all the banks, credit cards, brokerage, insurance, and retirement accounts i've ended up with over the years due to mergers and acquisitions, changes of employment, etc. they have quite different qualities of technical service, functionality, and customer service. some of them are so bad they're cryable, and it's almost impossible to find the right person to talk to at the institution through the gardol shield of customer "service" (who always asks "have you rebooted your machine?").

for example, there was the bank where i noticed that by simply typing a URL at a web browser you could retrieve someone else's partially completed credit application... i'll bet that wasn't covered in their privacy policy! but it was like pulling teeth to get them to fix it, until i finally faxed the bank chief counsel and president about it. then there was the financial services company that retained your tax returns ONLINE FOREVER, "just in case" they were needed by the IRS. retention is also often not covered in the privacy policy. etc. etc.

--mark seiden, cissp, cisa
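The URL-typing flaw in the anecdote above is a missing ownership check: a record is fetched by the identifier in the request and nobody asks who is making the request. As an added illustration (not code from the bank in question, from the list, or from the author), here is that pattern beside the check that binds each lookup to the customer behind the session cookie, which is exactly the cookie-to-customer binding the post says banks need. The application records, session table, function names and log tuples are constructed assumptions for this example.

```python
"""Added illustration (not the bank's or the list's code): a record lookup
keyed only by the URL identifier, beside the same lookup bound to the
authenticated customer. All data and names below are constructed."""

# Constructed sample data: partially completed credit applications, keyed by
# the identifier that would appear in the URL, with the owning customer.
APPLICATIONS = {
    "1001": {"owner": "alice", "status": "partial", "ssn_last4": "1234"},
    "1002": {"owner": "bob", "status": "partial", "ssn_last4": "9876"},
}

# Constructed session table: session cookie value -> authenticated customer.
SESSIONS = {
    "cookie-alice": "alice",
    "cookie-bob": "bob",
}


class AccessDenied(Exception):
    """Raised when a caller asks for a record it is not entitled to."""


def get_application_unchecked(app_id):
    """Vulnerable pattern (the one the post describes): trusts the identifier
    from the URL and never resolves the caller, so any session, or none at
    all, can read any application."""
    return APPLICATIONS.get(app_id)


def get_application(session_cookie, app_id):
    """Hardened pattern: resolve the customer from the session cookie first,
    then release the record only if that customer owns it. A missing record and
    a foreign record raise the same error, so the endpoint does not reveal
    which identifiers exist."""
    customer = SESSIONS.get(session_cookie)
    if customer is None:
        raise AccessDenied("no authenticated session")
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != customer:
        raise AccessDenied("application not available to this customer")
    return record


def count_foreign_reads(log_entries):
    """Defender-side review over constructed access-log tuples
    (session_cookie, app_id): how many requests asked for an application the
    session's customer does not own. A non-zero count against an endpoint like
    get_application_unchecked means other customers' data was exposed."""
    foreign = 0
    for cookie, app_id in log_entries:
        customer = SESSIONS.get(cookie)
        record = APPLICATIONS.get(app_id)
        if record is None or customer != record["owner"]:
            foreign += 1
    return foreign


if __name__ == "__main__":
    print(get_application_unchecked("1002"))       # anyone reads bob's record
    print(get_application("cookie-alice", "1001"))  # alice reads her own
    try:
        get_application("cookie-alice", "1002")     # alice cannot read bob's
    except AccessDenied as exc:
        print("denied:", exc)
```

The point of the hardened version is that the session cookie identifies the customer and the record's owner field is compared against that identity on every request; the URL identifier alone is never treated as proof of entitlement.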
-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/